RE: [PHP-DB] how to hide source code??
I encourage you to create a file whatever.html and set it 701 and then look at it with a browser by connecting to your webserver. http://server.com/~user/whatever.html will be displayed even though it is 701. I've done it many times.

Adam

On 29 Aug 2002, Mateus Cordeiro Inssa wrote:

> On Thu, 2002-08-29 at 17:48, Adam Williams wrote:
> > Apache can execute a file without reading it. Don't believe me? Make a
> > file 701 and then open it in apache.
>
> Oh, yes, so can apache bypass the kernel ? I don't think so, unless it
> is running as root or the file gets owned by the same user apache
> runs as.
>
> The "x" bit means the O.S. will try to execute that file. Your
> argument is like saying that setting the "x" bit in .doc documents
> permits or not its reading.
>
> The "x" could do something useful to cgi's, they are really executed
> (by execve system call).

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP-DB] how to hide source code??
Hi

Reading a few of the answers which I missed (mail filters!) before I wrote the last email I thought I might add a little depth.

If you are on a shared hosting machine then the answer fundamentally is no. The machine admin has absolute control over the machine and can see anything you put on there. Php also has a number of security settings and the default (which most shared hosters will use because it is easy) makes your code accessible to anybody else with access to the machine, though they need to know enough about php and Linux file systems to find their way around.

So it comes down to how much security matters. You can make your code difficult to read or even have different bits on different servers. In the end anybody determined enough will be able to access it, but, unless it is very valuable or sensitive data, they probably won't bother :)

You could get your own server - in the UK prices start at £75 (about US$100) per month, or you could host your own if you have a connection. These are both genuinely secure options.

HTH
Peter

---
Excellence in internet and open source software
---
Sunmaia
www.sunmaia.net
tel. 0121-242-1473
---

-----Original Message-----
From: Smita Manohar [mailto:[EMAIL PROTECTED]]
Sent: 29 August 2002 18:59
To: [EMAIL PROTECTED]
Subject: [PHP-DB] how to hide source code??

hii
im using php script with mysql. i want to hide the script from the admin or from the person who has privileges to access all the data. bcos i use ftp to upload the files. and i don't want anyone should be able to view the source.

is it possible to do so?

thnx and regds,
smita.
RE: [PHP-DB] how to hide source code??
On Thu, 2002-08-29 at 17:48, Adam Williams wrote:
> Apache can execute a file without reading it. Don't believe me? Make a
> file 701 and then open it in apache.

Oh, yes, so can apache bypass the kernel ? I don't think so, unless it is running as root or the file gets owned by the same user apache runs as.

The "x" bit means the O.S. will try to execute that file. Your argument is like saying that setting the "x" bit in .doc documents permits or not its reading.

The "x" could do something useful to cgi's, they are really executed (by execve system call).

--
Mateus Cordeiro Inssa
[EMAIL PROTECTED]
Hyperdrive Sistemas
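The permission check argued over in this message, as an added example that is not part of the original thread: a shell model of the kernel's owner/group/other test, applied to modes 700, 701, 704 and 705. The uids (1000 for the script owner, 48 for the web server) are constructed, and the model assumes one group per process and no ACLs or other access-control layers.

```shell
#!/bin/sh
# may_access MODE FILE_UID FILE_GID REQ_UID REQ_GID WANT
#   MODE: octal bits as passed to chmod (e.g. 701); WANT: r, w or x.
# Returns 0 if a process with REQ_UID/REQ_GID is granted WANT, 1 if denied.
# Assumption: one group per process, no ACLs or MAC layer.
may_access() {
    mode=$((0$1)); fuid=$2; fgid=$3; ruid=$4; rgid=$5
    case $6 in
        r) bit=4 ;;
        w) bit=2 ;;
        x) bit=1 ;;
        *) echo "unknown access type: $6" >&2; return 2 ;;
    esac
    if [ "$ruid" -eq 0 ]; then
        # root skips the read/write check; execute still needs some x bit.
        if [ "$bit" -ne 1 ] || [ $((mode & 0111)) -ne 0 ]; then
            return 0
        fi
        return 1
    fi
    # Exactly one class applies: owner, else group, else other.
    if [ "$ruid" -eq "$fuid" ]; then
        class=$(( (mode >> 6) & 7 ))
    elif [ "$rgid" -eq "$fgid" ]; then
        class=$(( (mode >> 3) & 7 ))
    else
        class=$(( mode & 7 ))
    fi
    [ $((class & bit)) -ne 0 ]
}

# Constructed scenario: script owned by uid/gid 1000, web server runs as 48.
for m in 700 701 704 705; do
    for want in r x; do
        if may_access "$m" 1000 1000 48 48 "$want"; then
            verdict=granted
        else
            verdict=denied
        fi
        echo "mode $m, web server (uid 48), $want: $verdict"
    done
done
```

On a directory the same x bit means search rather than execute, so mode 701 on a directory lets the server reach a known file name inside it without being able to list the contents.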
RE: [PHP-DB] how to hide source code??
Apache can execute a file without reading it. Don't believe me? Make a file 701 and then open it in apache.

Adam

On 29 Aug 2002, Mateus Cordeiro Inssa wrote:

> On Thu, 2002-08-29 at 16:05, Adam Williams wrote:
> > oh yeah duh me, set it 701
> >
> > Adam
> >
> > On Thu, 29 Aug 2002, Ryan Jameson (USA) wrote:
> >
> > > Wouldn't that make php unable to read it as well? Then it is useless as well.
>
> Oh, please, setting "x" bit will permit what ? PHP has to READ the
> file to execute it.
>
> And, if the admin has root privileges, what can you do to prevent him
> from viewing the file (a plain text php file) ?
>
> One simple thing to do is to make the source so difficult to
> understand that people would consider it unreadable. I think the right
> term is to obfuscate the code. There are programs to do this to C, Perl,
> Tcl, etc., but I don't know if there is one for PHP.
>
> Encryption is not enough because PHP would need to decrypt it.
>
> Hmm, and if you make a PHP module (binary) and use its functions from
> the PHP plain text file ?
RE: [PHP-DB] how to hide source code??
Forgive me for sticking my nose in the middle of this, but stupid question here:

This sounds like more of an architectural thing. A further abstracted view of the information you're dealing with. You (Smita) stated that the admin needs to see all of the data and you're concerned about him (or her) seeing your code. Aren't the two separate? Application layer and data layer?

This seems to suggest placing the data and application content in two separate areas of the web server and restricting rights to those directories. I believe this can be pulled off in the httpd.conf file if you're using Apache. I'm also pretty sure that's what the cgi-bin folder is for in most web hosting scenarios. As the admin of the site I can see what's in that folder, but nobody else can. I can't even see the folder from my browser. So I stick my scripts in there. Everything else goes in the public-html folder and users can see the source for that stuff, but they only see the results of the scripts executed on the server. Access to cgi-bin and public-html are both set in Apache's httpd.conf file.

This would effectively differentiate between a data admin and the application admin (you).

I haven't had to deal with this in the past and could definitely see it as a major concern down the road so I'm interested in what the real solution is.

-----Original Message-----
From: Ryan Jameson (USA) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 29, 2002 3:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [PHP-DB] how to hide source code??

Seems to me the truth is there is really no way to do this. Since an admin can take ownership any time he wants, and world read would allow anyone to view the source which is part of the problem. I've always thought that scripting languages should allow for source code encryption and have the parser program able to decrypt it based on a seed. No encryption is foolproof but it would be a step to protecting our intellectual property as coders.

Compiled applications have this advantage already because once compiled to decompile it is an ugly process. In one case, in an ethically questionable situation, I chose to keep the application's "guts" on my own server, and had the customer's server request the page from my server using PHP's file() function. Checked things like requestor domain and such to validate the source of the request. It worked quite well, but added a point of failure to the system. It turned out I was correct to be concerned, the customer decided to not pay for it, and attempted to move the code to a production machine at which point it simply stopped working. :-) All they had was a few php files of only a few lines each.

<>< Ryan

-----Original Message-----
From: Adam Williams [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 29, 2002 1:06 PM
To: Ryan Jameson (USA)
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP-DB] how to hide source code??

oh yeah duh me, set it 701

Adam

On Thu, 29 Aug 2002, Ryan Jameson (USA) wrote:

> Wouldn't that make php unable to read it as well? Then it is useless as well.
> <>< Ryan
>
> -----Original Message-----
> From: Adam Williams [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 29, 2002 1:00 PM
> To: Smita Manohar
> Cc: [EMAIL PROTECTED]
> Subject: Re: [PHP-DB] how to hide source code??
>
>
> set you to owner of the script and then chmod 700 it
>
> Adam
>
> On Thu, 29 Aug 2002, Smita Manohar wrote:
>
> > hii
> > im using php script with mysql. i want to hide the script from the admin or
> > from the person who has privileges to access all the data. bcos i use ftp to
> > upload the files. and i don't want anyone should be able to view the source.
> >
> > is it possible to do so?
> >
> > thnx and regds,
> > smita.
RE: [PHP-DB] how to hide source code??
The last idea is good, but it certainly is an excessive amount of effort. I've been coding PHP since 1998 and I have yet to need to build my own module. My goal with encryption would be to keep the average person out of the source code. I imagine if PHP were to allow for encrypted code within a month there would be a downloadable decrypter somewhere to be found. :-\

<>< Ryan

-----Original Message-----
From: Mateus Cordeiro Inssa [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 29, 2002 1:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [PHP-DB] how to hide source code??

On Thu, 2002-08-29 at 16:05, Adam Williams wrote:
> oh yeah duh me, set it 701
>
> Adam
>
> On Thu, 29 Aug 2002, Ryan Jameson (USA) wrote:
>
> > Wouldn't that make php unable to read it as well? Then it is useless as well.

Oh, please, setting "x" bit will permit what ? PHP has to READ the file to execute it.

And, if the admin has root privileges, what can you do to prevent him from viewing the file (a plain text php file) ?

One simple thing to do is to make the source so difficult to understand that people would consider it unreadable. I think the right term is to obfuscate the code. There are programs to do this to C, Perl, Tcl, etc., but I don't know if there is one for PHP.

Encryption is not enough because PHP would need to decrypt it.

Hmm, and if you make a PHP module (binary) and use its functions from the PHP plain text file ?

--
Mateus Cordeiro Inssa
[EMAIL PROTECTED]
Hyperdrive Sistemas
RE: [PHP-DB] how to hide source code??
On Thu, 2002-08-29 at 16:05, Adam Williams wrote:
> oh yeah duh me, set it 701
>
> Adam
>
> On Thu, 29 Aug 2002, Ryan Jameson (USA) wrote:
>
> > Wouldn't that make php unable to read it as well? Then it is useless as well.

Oh, please, setting "x" bit will permit what ? PHP has to READ the file to execute it.

And, if the admin has root privileges, what can you do to prevent him from viewing the file (a plain text php file) ?

One simple thing to do is to make the source so difficult to understand that people would consider it unreadable. I think the right term is to obfuscate the code. There are programs to do this to C, Perl, Tcl, etc., but I don't know if there is one for PHP.

Encryption is not enough because PHP would need to decrypt it.

Hmm, and if you make a PHP module (binary) and use its functions from the PHP plain text file ?

--
Mateus Cordeiro Inssa
[EMAIL PROTECTED]
Hyperdrive Sistemas
RE: [PHP-DB] how to hide source code??
Seems to me the truth is there is really no way to do this. Since an admin can take ownership any time he wants, and world read would allow anyone to view the source which is part of the problem. I've always thought that scripting languages should allow for source code encryption and have the parser program able to decrypt it based on a seed. No encryption is foolproof but it would be a step to protecting our intellectual property as coders.

Compiled applications have this advantage already because once compiled to decompile it is an ugly process. In one case, in an ethically questionable situation, I chose to keep the application's "guts" on my own server, and had the customer's server request the page from my server using PHP's file() function. Checked things like requestor domain and such to validate the source of the request. It worked quite well, but added a point of failure to the system. It turned out I was correct to be concerned, the customer decided to not pay for it, and attempted to move the code to a production machine at which point it simply stopped working. :-) All they had was a few php files of only a few lines each.

<>< Ryan

-----Original Message-----
From: Adam Williams [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 29, 2002 1:06 PM
To: Ryan Jameson (USA)
Cc: [EMAIL PROTECTED]
Subject: RE: [PHP-DB] how to hide source code??

oh yeah duh me, set it 701

Adam

On Thu, 29 Aug 2002, Ryan Jameson (USA) wrote:

> Wouldn't that make php unable to read it as well? Then it is useless as well.
> <>< Ryan
>
> -----Original Message-----
> From: Adam Williams [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 29, 2002 1:00 PM
> To: Smita Manohar
> Cc: [EMAIL PROTECTED]
> Subject: Re: [PHP-DB] how to hide source code??
>
>
> set you to owner of the script and then chmod 700 it
>
> Adam
>
> On Thu, 29 Aug 2002, Smita Manohar wrote:
>
> > hii
> > im using php script with mysql. i want to hide the script from the admin or
> > from the person who has privileges to access all the data. bcos i use ftp to
> > upload the files. and i don't want anyone should be able to view the source.
> >
> > is it possible to do so?
> >
> > thnx and regds,
> > smita.
RE: [PHP-DB] how to hide source code??
oh yeah duh me, set it 701

Adam

On Thu, 29 Aug 2002, Ryan Jameson (USA) wrote:

> Wouldn't that make php unable to read it as well? Then it is useless as well.
> <>< Ryan
>
> -----Original Message-----
> From: Adam Williams [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 29, 2002 1:00 PM
> To: Smita Manohar
> Cc: [EMAIL PROTECTED]
> Subject: Re: [PHP-DB] how to hide source code??
>
>
> set you to owner of the script and then chmod 700 it
>
> Adam
>
> On Thu, 29 Aug 2002, Smita Manohar wrote:
>
> > hii
> > im using php script with mysql. i want to hide the script from the admin or
> > from the person who has privileges to access all the data. bcos i use ftp to
> > upload the files. and i don't want anyone should be able to view the source.
> >
> > is it possible to do so?
> >
> > thnx and regds,
> > smita.
RE: [PHP-DB] how to hide source code??
Wouldn't that make php unable to read it as well? Then it is useless as well.

<>< Ryan

-----Original Message-----
From: Adam Williams [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 29, 2002 1:00 PM
To: Smita Manohar
Cc: [EMAIL PROTECTED]
Subject: Re: [PHP-DB] how to hide source code??

set you to owner of the script and then chmod 700 it

Adam

On Thu, 29 Aug 2002, Smita Manohar wrote:

> hii
> im using php script with mysql. i want to hide the script from the admin or
> from the person who has privileges to access all the data. bcos i use ftp to
> upload the files. and i don't want anyone should be able to view the source.
>
> is it possible to do so?
>
> thnx and regds,
> smita.
Re: [PHP-DB] how to hide source code??
set you to owner of the script and then chmod 700 it

Adam

On Thu, 29 Aug 2002, Smita Manohar wrote:

> hii
> im using php script with mysql. i want to hide the script from the admin or
> from the person who has privileges to access all the data. bcos i use ftp to
> upload the files. and i don't want anyone should be able to view the source.
>
> is it possible to do so?
>
> thnx and regds,
> smita.